The Trade and Co-operation Agreement agreed between the EU and UK on Christmas Eve (the ‘Agreement’) includes an important interim measure designed to ensure that transfers of personal data between the EU and UK can continue to take place.
Without the interim measure, once the Brexit transition period ended on 31st December 2020, the UK would have been treated as a ‘third country’ for data protection purposes. As the EU Commission has not yet made a decision that the UK data protection regime offers adequate protection for personal data (known as an ‘adequacy decision’), this would have meant that transfers of personal data from the EU to the UK would have been prohibited unless an approved transfer mechanism was in place or one of the limited GDPR exceptions applied. For many organisations, this would have resulted in a scramble to put in place EU approved standard contractual clauses.
However, as a result of the Agreement, a ‘grace period’ of between 4 and 6 months has been put in place. During this period, transfers of personal data from the EU to the UK can continue to take place as if the UK was still a member of the EU. The hope is that, before the end of the 6-month cut-off, the EU Commission will have granted an adequacy decision in favour of the UK (the grace period will automatically come to an end if an adequacy decision is made).
Transfers of personal data from the UK to the EU did not need to be catered for in the Agreement since the UK has already taken steps to recognise the adequacy of EU data protection law (at least for the time being).
What is the practical implication of the grace period for organisations?
The grace period means that organisations can, for the next 6 months, continue to receive personal data from the EU or access personal data stored in the EU without needing to take additional steps or identify an applicable exception under the GDPR.
However, organisations need to keep an eye on the horizon. Whilst the signs are looking good, there is no guarantee that the EU Commission will make an adequacy decision in the UK’s favour during the grace period. Consequently, organisations need to think about how they will ensure that personal data transfers can continue to take place in the event of a no-adequacy outcome (particularly if those data transfers are of a business-critical nature).
Other Brexit consequences
EU to UK data transfers aside, the Agreement doesn’t change the position relating to the other data protection consequences which flow from Brexit. So, for example:
- the UK now has its own data protection regime known as the UK GDPR, which, although based upon the EU GDPR will operate separately;
- some UK organisations may now need to appoint a representative in the EU; and
- some UK organisations will now be subject to supervision by more than one supervisory authority.
Some of the changes may mean that you need to update your data protection compliance documents and contracts.
If you’d like more information about what your organisation may need to do to prepare for the end of the data transfer grace period or about the other data protection consequences of Brexit, please get in touch with a member of our Information Law Team.